Saturday, July 11, 2020

Filling in the blanks: Ministerial Authorizations

In this blog post I'm going to try to identify the subject of the three Ministerial Authorizations (MAs) that CSE has used in recent years to enable its SIGINT program to operate.

Since the passage of Bill C-36 in 2001 gave CSE its first statutory mandate, the agency has used MAs to ensure that its SIGINT (and cyber defence activities) can incidentally intercept "private communications" without breaking the law. (For the purposes of the Criminal Code, private communications are communications that begin and/or end in Canada for which a reasonable expectation of privacy exists. Phone calls, e-mails, and text messages with at least one end in Canada are all examples of private communications.) The passage of Bill C-59 in 2019 altered the details of this regime, but its fundamentals remain the same: ministerial authorizations, now called Foreign Intelligence Authorizations and Cybersecurity Authorizations, remain necessary to enable CSE to operate legally.

These MAs have a duration of one year, after which they are renewed or replaced by a new MA. In 2011-12, CSE operated with eight MAs, six to cover SIGINT activities and two to cover cybersecurity activities. Since December 2012, however, CSE has obtained just four MAs per year, three for SIGINT and one for cybersecurity.

What the numbers are now under the new C-59 regime remains to be revealed.

My guess is that the number of Cybersecurity authorizations will increase. The number of SIGINT/Foreign Intelligence authorizations could also do so, but I'm less confident of that. The three SIGINT MAs that CSE standardized on in 2012 already covered every CSE collection activity that might risk the acquisition of a private communication, and it's possible that the Foreign Intelligence MAs will essentially be reflagged versions of those previous MAs. But the new authorizations are potentially broader, as they cover "any activity specified in the authorization in the furtherance of the foreign intelligence aspect of [CSE's] mandate." This includes all acquisition of information for the foreign intelligence program, other than publicly available information for which no reasonable expectation of privacy exists, whether or not private communications are potentially in play. So maybe we'll see more than three.

Presumably we'll find that out whenever the first public report of the new Office of the Intelligence Commissioner appears. CSE could easily have reported the numbers itself in its recent annual report, but that's just not the way the agency rolls.

Anyway. Back to the topic at hand.

CSE does a lot of different kinds of SIGINT collection activity, both directly and through the Canadian Forces Information Operations Group (CFIOG), so it's worth considering how the agency has managed to shoehorn all that stuff into just three annual SIGINT MAs since 2012.

The short answer is that the MAs cover classes of activities rather than individual collection programs.

Unfortunately, all information concerning how those classes are defined has always been withheld by the agency. See, for example, this memo discussing the switch from eight to four MAs in 2012.

Back in 2015 I concluded that one of those MAs was focused on the agency's Computer Network Exploitation (CNE) program, as I explained here.

But I was less sure about the other two SIGINT MAs, speculating that they might be divided between traditional circuit-switched communications, like telephone landlines, and the packet-switched communications used on the Internet.

I now think that was wrong. I recently reviewed this 2013 document and had an epiphany.

See how the telecommunications data collected by CSE is broken down into three broad sources? Computer-based sources—accessible through CNE activities—and two others?

Here's what I think CSE's three SIGINT MAs may be.

The first MA—Radio Frequency Collection—pertains to traffic transmitted through the air (e.g., satellite beams, HF/VHF/UHF or microwave radio traffic, cell phones, etc), which can therefore be collected using antennas, and the second—Cable Access Collection—pertains to traffic transmitted through cable systems, which thus requires hardware or software implants, physical intercept points, or the cooperation of telecommunications carriers for its collection. The third, as I thought before, pertains to CNE activities.

Now, I don't know for certain that these guesses are correct.

But I'm pretty confident that they are, although the wording I chose may or may not be quite right.

And I'm also confident that if CSE were to reveal that those categories are indeed the ones that define its SIGINT MAs, that information would reveal precisely nothing about CSE's sources and methods that the agency's targets don't already either know for a fact or at least take as a given.

Thursday, July 09, 2020

More on the Annual Report

A couple of additional comments on CSE's recent Annual Report (previous comments here):

Among the handful of new things the report tells us is that CSE recently adopted a new five-year plan, CSE 2025, which "lays out CSE’s five-year strategic horizon to guide investments and operations in a way that directs our focus on delivering national-level results and mitigating national-level risks."

Unfortunately, the explanatory sentences that follow explain nothing, other than that CSE intends to pursue the elements of its mandate over the next five years.

Seems like a sound plan.

But they do introduce some interesting language. Most notably, we are told that one the goals of the agency is to provide an information advantage for Canada’s "security, prosperity and competitiveness".

This is a new formulation in CSE's public messaging, and it must be important to the agency as it appears four times in the text of the report and also as a subhead. It also ends up inserted in the mouth of the minister in the press release introducing the report.

The agency's previous watchwords were security, prosperity, and stability (see, e.g., here and here).

I'm not sure what to make of the fact that competitiveness has displaced stability on the agency's list of lodestars—maybe they took a look at the world and gave up on stability?—but it's striking that two of the three words now refer to economic matters.

Economic issues last moved to the top of CSE's agenda in the 1990s, when the end of the Cold War nullified the agency's prior focus on the Soviet Union. They were displaced in their turn after 9/11 by counter-terrorism and support to military operations. The latter topics surely remain high on CSE's to-do list, but it seems likely they no longer hold the all-important position they once did.

Is the economy moving back to the top of the list?

Another new slogan or vision statement or something appears in CSE Chief Shelly Bruce's introductory message at the beginning of the report: "We are one CSE, known and trusted".

I assess with moderate confidence that this is not intended to be a statement of current fact, so presumably it is a goal, meant to highlight the indivisibility of the SIGINT and cybersecurity sides of the agency (and perhaps the new cyber operations part too?) and set a target for the future. It seems to express a hope that the Cyber Centre will become better known and trusted, and that it won't defect to become its own organization but will instead share the benefits of its growing renown and trustedness with the currently little-known and little-trusted SIGINT side.

I could make some sort of comment here about how in my view the agency is not at all likely to become either better known or more trusted as long as it keeps dispensing PR pablum instead of living up to its professed commitment to transparency, but—well, I guess I just did.